Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: ac350b95 by Salvatore Bonaccorso at 2021-02-20T10:02:04+01:00 Add workaround entry for libzstd As so far no CVE assigned from the responsible CNA, add the temporary workaround in data/CVE/list to correctly track the fix. - - - - - 47d6e539 by Salvatore Bonaccorso at 2021-02-20T10:52:29+01:00 Process some NFUs - - - - - 8347d115 by Salvatore Bonaccorso at 2021-02-20T10:52:52+01:00 Add two new owncloud issues - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,5 +1,5 @@ CVE-2021-27509 (In Visualware MyConnection Server before 11.0b build 5382, each publis ...) - TODO: check + NOT-FOR-US: Visualware MyConnection Server CVE-2021-27508 RESERVED CVE-2021-27507 @@ -396,7 +396,7 @@ CVE-2021-27330 CVE-2021-27329 (Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or ...) NOT-FOR-US: Friendica CVE-2021-27328 (Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Trave ...) - TODO: check + NOT-FOR-US: Yeastar NeoGate TG400 91.3.0.3 devices CVE-2021-27327 RESERVED CVE-2021-27326 @@ -623,7 +623,7 @@ CVE-2021-27216 CVE-2021-27215 RESERVED CVE-2021-27214 (A Server-side request forgery (SSRF) vulnerability in the ProductConfi ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2021-27213 (config.py in pystemon before 2021-02-13 allows code execution via YAML ...) NOT-FOR-US: pystemon CVE-2019-25019 (LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant m ...) @@ -1449,6 +1449,7 @@ CVE-2021-26910 (Firejail before 0.9.64.4 allows attackers to bypass intended acc NOTE: https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/ CVE-2021-XXXX [zstd allows for race-opening files being compressed or uncompressed] - libzstd 1.4.8+dfsg-2 (bug #982519) + [buster] - libzstd 1.3.8+dfsg-3+deb10u2 NOTE: https://github.com/facebook/zstd/issues/2491 CVE-2019-XXXX [zstd adds read permissions to files while being compressed or uncompressed] - libzstd 1.4.8+dfsg-1 (bug #981404) @@ -3976,7 +3977,7 @@ CVE-2021-3212 CVE-2021-3211 RESERVED CVE-2021-3210 (components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound &l ...) - TODO: check + NOT-FOR-US: Bloodhound CVE-2021-3209 RESERVED CVE-2021-3208 @@ -3988,7 +3989,7 @@ CVE-2021-3206 CVE-2021-3205 RESERVED CVE-2021-3204 (SSRF in the document conversion component of Webware Webdesktop 5.1.15 ...) - TODO: check + NOT-FOR-US: Webware Webdesktop CVE-2021-3203 RESERVED CVE-2021-3202 @@ -10759,11 +10760,11 @@ CVE-2021-22705 CVE-2021-22704 RESERVED CVE-2021-22703 (A CWE-319: Cleartext transmission of sensitive information vulnerabili ...) - TODO: check + NOT-FOR-US: PowerLogic CVE-2021-22702 (A CWE-319: Cleartext transmission of sensitive information vulnerabili ...) - TODO: check + NOT-FOR-US: PowerLogic CVE-2021-22701 (A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLog ...) - TODO: check + NOT-FOR-US: PowerLogic CVE-2021-22700 RESERVED CVE-2021-22699 @@ -14980,7 +14981,7 @@ CVE-2021-21320 CVE-2021-21319 RESERVED CVE-2021-21318 (Opencast is a free, open-source platform to support the management of ...) - TODO: check + NOT-FOR-US: Opencast CVE-2021-21317 (uap-core in an open-source npm package which contains the core of Brow ...) NOT-FOR-US: Node uap-core CVE-2021-21316 (less-openui5 is an npm package which enables building OpenUI5 themes w ...) @@ -16771,9 +16772,9 @@ CVE-2021-20590 CVE-2021-20589 RESERVED CVE-2021-20588 (Improper handling of length parameter inconsistency vulnerability in M ...) - TODO: check + NOT-FOR-US: Mitsubishi CVE-2021-20587 (Heap-based buffer overflow vulnerability in Mitsubishi Electric FA Eng ...) - TODO: check + NOT-FOR-US: Mitsubishi CVE-2021-20586 (Resource management errors vulnerability in a robot controller of MELF ...) NOT-FOR-US: Mitsubishi CVE-2021-20585 @@ -27505,7 +27506,7 @@ CVE-2020-27999 CVE-2020-27998 (An issue was discovered in FastReport before 2020.4.0. It lacks a Scri ...) NOT-FOR-US: FastReport CVE-2020-27997 (An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross S ...) - TODO: check + NOT-FOR-US: SmartStoreNET CVE-2020-27996 (An issue was discovered in SmartStoreNET before 4.0.1. It does not pro ...) NOT-FOR-US: SmartStoreNET CVE-2020-27995 (SQL Injection in Zoho ManageEngine Applications Manager 14 before 1456 ...) @@ -34948,7 +34949,7 @@ CVE-2020-25173 (An attacker with local network access can obtain a fixed cryptog CVE-2020-25172 (A relative path traversal attack in the B. Braun OnlineSuite Version A ...) NOT-FOR-US: B. Braun OnlineSuite Version AP CVE-2020-25171 (The affected Fuji Electric V-Server Lite versions prior to 3.3.24.0 ar ...) - TODO: check + NOT-FOR-US: Fuji Electric CVE-2020-25170 (An Excel Macro Injection vulnerability exists in the export feature in ...) NOT-FOR-US: B. Braun OnlineSuite Version AP CVE-2020-25169 (The affected Reolink P2P products do not sufficiently protect data tra ...) @@ -36156,7 +36157,7 @@ CVE-2020-24619 (In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020. ...) NOT-FOR-US: JetBrains CVE-2020-24617 (Mailtrain through 1.24.1 allows SQL Injection in statsClickedSubscribe ...) - TODO: check + NOT-FOR-US: Mailtrain CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...) - jackson-databind 2.12.1-1 [buster] - jackson-databind <no-dsa> (Minor issue) @@ -36660,7 +36661,7 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS serv [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/22cf8419f1319ff87ec759d0ebdff4cbafaee832 CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure way tha ...) - TODO: check + NOT-FOR-US: TweetStream CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...) TODO: check CVE-2020-24391 @@ -60826,7 +60827,7 @@ CVE-2020-13551 (An exploitable local privilege elevation vulnerability exists in CVE-2020-13550 (A local file inclusion vulnerability exists in the installation functi ...) NOT-FOR-US: Advantech WebAccess/SCADA CVE-2020-13549 (An exploitable local privilege elevation vulnerability exists in the f ...) - TODO: check + NOT-FOR-US: Sytech XL Reporter CVE-2020-13548 (In Foxit Reader 10.1.0.37527, a specially crafted PDF document can tri ...) NOT-FOR-US: Foxit Reader CVE-2020-13547 (A type confusion vulnerability exists in the JavaScript engine of Foxi ...) @@ -62400,7 +62401,7 @@ CVE-2020-12875 (Veritas APTARE versions prior to 10.4 did not perform adequate a CVE-2020-12874 (Veritas APTARE versions prior to 10.4 included code that bypassed the ...) NOT-FOR-US: Veritas CVE-2020-12873 (An issue was discovered in Alfresco Enterprise Content Management (ECM ...) - TODO: check + NOT-FOR-US: Alfresco Enterprise Content Management (ECM) CVE-2020-12872 (yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ...) - erlang 1:21.2.6+dfsg-1 (low) [stretch] - erlang 1:19.2.1+dfsg-2+deb9u3 @@ -63027,7 +63028,7 @@ CVE-2020-12670 (XSS exists in Webmin 1.941 and earlier affecting the Save functi CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authentic ...) - dolibarr <removed> CVE-2020-12668 (Jinjava before 2.5.4 allow access to arbitrary classes by calling Java ...) - TODO: check + NOT-FOR-US: Jinjava CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a crafted ...) - knot-resolver 5.1.1-0.1 (bug #961076) NOTE: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/ @@ -63854,7 +63855,7 @@ CVE-2020-12376 (Use of hard-coded key in the BMC firmware for some Intel(R) Serv CVE-2020-12375 (Heap overflow in the BMC firmware for some Intel(R) Server Boards, Ser ...) NOT-FOR-US: Intel CVE-2020-12374 (Buffer overflow in the BMC firmware for some Intel(R) Server Boards, S ...) - TODO: check + NOT-FOR-US: Intel CVE-2020-12373 (Expired pointer dereference in some Intel(R) Graphics Drivers before v ...) NOT-FOR-US: Intel graphics drivers for Windows CVE-2020-12372 (Unchecked return value in some Intel(R) Graphics Drivers before versio ...) @@ -70900,11 +70901,11 @@ CVE-2020-10256 (An issue was discovered in beta versions of the 1Password comman CVE-2020-10255 (Modern DRAM chips (DDR4 and LPDDR4 after 2015) are affected by a vulne ...) NOT-FOR-US: Hardware vulnerabliity in DDR4 DRAM chips CVE-2020-10254 (An issue was discovered in ownCloud before 10.4. An attacker can bypas ...) - TODO: check + - owncloud <removed> CVE-2020-10253 RESERVED CVE-2020-10252 (An issue was discovered in ownCloud before 10.4. Because of an SSRF is ...) - TODO: check + - owncloud <removed> CVE-2020-10251 (In ImageMagick 7.0.9, an out-of-bounds read vulnerability exists withi ...) - imagemagick 8:6.9.11.24+dfsg-1 (low; bug #953741) [buster] - imagemagick <ignored> (Minor issue) @@ -73797,7 +73798,7 @@ CVE-2020-9052 CVE-2020-9051 RESERVED CVE-2020-9050 (Path Traversal vulnerability exists in Metasys Reporting Engine (MRE) ...) - TODO: check + NOT-FOR-US: Metasys Reporting Engine (MRE) Web Services CVE-2020-9049 (A vulnerability in specified versions of American Dynamics victor Web ...) NOT-FOR-US: Sensormatic Electronics, LLC; a subsidiary of Johnson Controls CVE-2020-9048 (A vulnerability in specified versions of American Dynamics victor Web ...) @@ -99339,7 +99340,7 @@ CVE-2019-18257 (In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, mu CVE-2019-18256 (BIOTRONIK CardioMessenger II, The affected products use individual per ...) NOT-FOR-US: BIOTRONIK CardioMessenge CVE-2019-18255 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...) - TODO: check + NOT-FOR-US: HMI/SCADA iFIX CVE-2019-18254 (BIOTRONIK CardioMessenger II, The affected products do not encrypt sen ...) NOT-FOR-US: BIOTRONIK CardioMessenge CVE-2019-18253 (An attacker could use specially crafted paths in a specific request to ...) @@ -99363,7 +99364,7 @@ CVE-2019-18245 (Reliable Controls LicenseManager versions 3.4 and prior may allo CVE-2019-18244 (In OSIsoft PI System multiple products and versions, a local attacker ...) NOT-FOR-US: OSIsoft CVE-2019-18243 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...) - TODO: check + NOT-FOR-US: HMI/SCADA iFIX CVE-2019-18242 (In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpre ...) NOT-FOR-US: Moxa CVE-2019-18241 (In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all ver ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fd1859a8870126abf487e5b007ba1e2bedfa687a...8347d115940b73610d69cd2c0b6e9cdebf247666 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fd1859a8870126abf487e5b007ba1e2bedfa687a...8347d115940b73610d69cd2c0b6e9cdebf247666 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits